IAAC Directors' Guides
Some time back I bumped into a handy management guide on information risk - a double-sided leaflet from the Information Assurance Advisory Council. In 2015, it inspired a security awareness briefing explaining that colourful process diagram, which has now morphed into a further 5-page briefing on Information Risk Management, soon to join the SecAware ISMS templates.
Googling for the IAAC guide led me to a cluster of FREE Directors' Guides from the IAAC offering useful, relevant guidance for senior management:
Googling for the IAAC guide led me to a cluster of FREE Directors' Guides from the IAAC offering useful, relevant guidance for senior management:
- Why Information Risk is a Board Level Issue - is a backgrounder including this apt and succinct explanation:
"Information Risk encompasses all the challenges that result from an organisation’s need to control and protect its information."
- Governance and Structures - describes directors' governance responsibilities relating to information risk:
"Directors need to put in place the arrangements and processes by which responsibilities are distributed and significant information risk decisions are to be made and reviewed."
- Information Risk Management Approach - encourages directors to support the remainder of the organisation in fulfilling their responsibilities for information risk, ensuring strategic alignment between risk management and business objectives.
- Realising the Benefits - outlines the business benefits of good information risk management in terms of: efficiency; agility; manageability; exploitation of new opportunities (more confidently expanding into new areas of business); customer retention; brand strengthening; cost-efficient compliance; and dealing efficiently with incidents.
"Good information risk mitigation supports organisational strategies and tactical agility rather than limiting them."
- Information risk mitigation - a double-sided leaflet (actually about information risk management - not just mitigation) mentions this often-overlooked aspect:
"Information risk mitigation processes normally deal with each risk situation in isolation.The regular review of risks should include a reckoning to ensure the aggregate risk position does not grow out of proportion to expectations or to the organisation’s risk tolerance."
- Regulation and Legislation - outlines directors' compliance responsibilities relating to information risk and security, privacy etc. This guide mostly discusses the need to avoid penalties and liabilities (including directors' personal liabilities as officers), touching only briefly on the idea of a 'principles based' approach - in other words, going beyond the mandatory minimum. I would have preferred it to emphasise that proactive compliance can be good for business e.g. strategic planning to become compliant with new laws and regs by the most efficient route, taking advantage of corporate change initiatives and projects.
- Cyber Security and Information Assurance:Scenarios for Directors - uses five business situations as case studies to brief directors on the kinds of issues they might get involved and be expected to deal with. We find case studies very useful to scratch beneath the surface of complex topics, engaging, informing and motivating people to take notice.
- Creating a Strong Information Handling Culture - promotes the idea that corporate culture ('How we do things here') can and should be guided by senior management towards information risk and security awareness, mentioning:
"It is not sufficient for the leaders of the organisation just to acknowledge in words that information is valuable and that risks must be mitigated. They must portray it through their decisions and actions. Staff develop their understanding of the organisation’s culture more by what they see than by what they hear."
Hear hear! The advice is sound, although incomplete - for example I didn't notice any mention of resilience and business continuity (although that is a concern of IAAC, elsewhere), nor of 'offensive security' (actively exploiting third parties' information security vulnerabilities for the organisation's business advantage - obviously raising ethical concerns).
Sound advice like this is valuable both as it stands, and as a basis to develop awareness materials, strategies, policies and procedures.
Sound advice like this is valuable both as it stands, and as a basis to develop awareness materials, strategies, policies and procedures.